Thursday, February 12, 2009

Defeating computer forensics is an attempt to prevent data from being recovered and used in a criminal or civil case. The idea is to make it impossible for a computer forensics examiner to find evidence by doing something to a computer or hard drive to make it unrecoverable.

Challenging computer forensics can occur when an examiner does recover evidence and it is used as part of a civil or criminal case.

There are two significant reasons to understand the process of challenging digital evidence:

1. As the primary expert examiner, you must understand how an opposing expert goes about challenging your findings.
2. As the opposing expert, you must understand how to go about challenging the findings of the primary expert.

Many people might think that evidence equals facts, and therefore ask how you can challenge facts: it is either there or it isn't.

While that is true in a sense, the question that must be raised is whether or not those facts really apply to the issue at hand.

Probably the number one mistake I see people make is assuming that if the other side does not find incriminating evidence, there is no need to use an expert examiner in a case.

However, that completely overlooks the possibility of that same set of evidence providing exculpatory facts that can be used to challenge the other side's case, independent of whether or not they plan to introduce digital evidence.

As one of the very few defense experts out there, I spend the majority of my time challenging the findings of law enforcement examiners.

Every case has something I call challenge points: each step in the overall processing of evidence has specific points where mistakes are commonly made by the person executing that particular phase of an investigation.

However, beyond that, in many cases I work, law enforcement may not have found anything on the computers to support their case. Defense attorneys I work with will still get the computers for me to examine to make sure that there isn't something there that will support the innocence of their client.

On the other side of the fence, where I am the primary examiner in a civil case or in a domestic case, being aware of those challenge points makes me focus on being a better examiner.

In civil cases, rules are not as stringent as they are in criminal cases. However, properly doing an examination to the same standards as a criminal case makes it much harder for my findings to be challenged if the other side has an expert of their own.

And since you never know when a civil or domestic case will turn into a criminal case, your standards must be at a level where you can defend them in a court of law.

My point is that you should never make assumptions about a case where computer or cell phone forensic evidence is part of the case.

Even if the other side didn't find something to use, you may find something that can be used to challenge the overall case.

Totally reinforces my statements that Forensics is debate and discussion, as opposed to Forensic Science.

Any examiner (or analyst) of evidence must be prepared to be challenged by the other side. They must be prepared to debate their findings, their process, and their tools. They should also engage in a validation of their own processes and tools ... in essence, challenging themselves.

About EX FORENSIS

This is where I share my thoughts on the digital forensics field, talk about recent court rulings that impact digital forensics and anything else that comes to mind; mostly serious, sometimes not so much.

All writings on this blog are the original works of the author, Larry E. Daniel, unless otherwise stated, and are subject to the copyright laws of the United States.

Disclaimer

I am not an attorney. Nothing I post in this blog is intended to be, nor should be considered as legal advice. If you have a legal question you should seek the services of a licensed attorney in your area. Guest authors or others who are invited to post here are covered by the same disclaimer. Nothing on this blog is legal advice.